The bill regulates the collection of "emergency health data" by public or private entities other than public health authorities or healthcare providers.

Emergency Health Data

Emergency Health Data is defined as data linked or reasonably linkable to an individual or device, including data inferred or derived about the individual or device from other collected data (provided such derived data is still linked or reasonably linkable to the individual or device), that concerns the public COVID-19 health emergency. It includes:

Past or present health condition

Data derived from testing

Whether a person has contracted or is likely to contract a disease

Genetic data, biometric samples or biometric data

Other data collected in conjunction with other emergency health data or for the purpose of tracking, screening, monitoring, contact tracing or mitigation, or otherwise responding to the COVID–19 public health emergency, including

proximity data, meaning information that identifies or estimates the past or present physical proximity of one individual or device to another, including information derived from Bluetooth, audio signatures, nearby wireless networks and near-field communications

demographic data

contact information for identifiable individuals or a history of the individual’s contacts over a period of time, such as an address book or call log
AND

any other data collected from a personal device.

Service Providers

The bill does not apply to service providers and provides a definition of service provider which is similar in some aspects, but not identical to the definition of "service provider" under the California Consumer Privacy Act (CCPA):

A person who collects, uses or discloses emergency health data for the sole purpose of, and only to the extent that such entity is, conducting business activities on behalf of, for the benefit of, under instruction of and under contractual agreement with a covered organization.

It does not include a person who develops or operates a website, web application, mobile application or smart device application for the purpose of tracking, screening, monitoring, contact tracing or mitigation, or otherwise responding to the COVID–19 public health emergency.

Third Party

It also defines a "third party," in a manner different from the CCPA. "Third party" means, with respect to a covered organization:

Another person to whom such covered organization disclosed emergency health data
AND

A corporate affiliate or a related party of the covered organization that does not have a direct relationship with an individual with whom the emergency health data is linked or is reasonably linkable.

It does not include:

A service provider of such covered organization
OR

A public health authority

Data Protection Principles

For the collection of emergency health data, the bill requires covered organizations to uphold key data protection principles that are similar to those set out in the Republican COVID-19 privacy bill and, to some extent, in the European Union's General Data Protection Regulation and the CCPA:

Proportional/necessary: Collect, use or disclose such data that is necessary, proportionate and limited for a good faith public health purpose, including a service or feature to support such a purpose.

Accuracy/rectification: Take reasonable measures, where possible, to ensure the accuracy of emergency health data and provide an effective mechanism for an individual to correct inaccurate information.

Revocation of consent: After an individual revokes consent, the covered organization must cease collecting, using or disclosing the individual's emergency health data as soon as practicable, and in no case later than 15 days after receipt of the individual's revocation of consent.

Privacy Notice/Disclosure

A covered organization is required to provide individuals with a notice that describes:

How and for what purposes the covered organization collects, uses and discloses emergency health data

The categories of recipients to whom it discloses data

The purpose of disclosure for each category

The data retention and data security policies and practices for emergency health data
AND

How an individual may exercise the rights under this Act and how to contact the Commission (the FTC) to file a complaint.

Deletion

A covered organization must destroy or render not linkable the individual's emergency health data not later than 30 days after receipt of the individual's revocation of consent.

A covered organization must not use or maintain emergency health data beyond the later of 60 days after the termination of the declared public health emergency or 60 days after the data was collected.

Deletion is defined as follows: data shall be destroyed or rendered not linkable in such a manner that it is impossible or demonstrably impracticable to identify any individual from the data.

Exceptions

The bill is not meant to prohibit collection of information for the purpose of scientific research.

It does not apply to Covered Entities or Business Associates under HIPAA.

Enforcement

A violation of this act shall be deemed a deceptive or unfair act under the FTC Act and subject to enforcement by the FTC, including with respect to common carriers and nonprofit entities.

Additional enforcement can be undertaken by state Attorneys General and any other officer of a state authorized by that state to do so.

Individuals are granted a private right of action and may recover:

An amount not less than $100 and not greater than $1,000 per violation against any person who negligently violates a provision of this Act.

An amount not less than $500 and not greater than $5,000 per violation against any person who recklessly, willfully or intentionally violates a provision of this Act.

Reasonable attorneys' fees and litigation costs.
AND

Any other relief, including equitable or declaratory relief, that the court determines appropriate.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the firm's GDPR Compliance & International Privacy Practice. She can be reached at 215.444.7313 or [email protected].